U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Improvements Needed to Secure IT Assets at EPA-Owned Research Facilities

Report No. 13-P-0252                                          May 8, 2013


Report Contributors:  Rudolph M. Brevard
                      Warren Brooks
                      Teresa Richardson
                      Jeremy Sigel
                      Eric Jackson
                      Kyle Denning


Abbreviations

AED     Atlantic Ecology Division
CCTV    Closed-circuit television
COOP    Continuity of operations
ERD     Ecosystems Research Division
EPA     U.S. Environmental Protection Agency
GED     Gulf Ecology Division
IT      Information technology
LAN     Local Area Network
NIST    National Institute of Standards and Technology
OIG     Office of Inspector General
OMB     Office of Management and Budget
ORD     Office of Research and Development
PCs     Personal computers
SP      Special Publication
WEP     Wired Equivalent Privacy
WPA     Wi-Fi Protected Access
WPA2    Wi-Fi Protected Access II


Cover photos:  Clockwise from top left: Unsecured thumb drives; signage at entrance; Gulf Ecology Division buildings. (EPA OIG photos)


Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:

  e-mail:   OIG_Hotline@epa.gov
  phone:    1-888-546-8740
  fax:      202-566-2599
  online:   http://www.epa.gov/oig/hotline.htm
  write:    EPA Inspector General Hotline
            1200 Pennsylvania Avenue, NW
            Mailcode 2431T
            Washington, DC 20460


U.S. Environmental Protection Agency                              13-P-0252
Office of Inspector General                                     May 8, 2013

At a Glance

Improvements Needed to Secure IT Assets at EPA-Owned Research Facilities

Why We Did This Review

We sought to determine to what extent management at U.S. Environmental Protection Agency-owned research facilities establish and implement information security practices to protect Agency information technology assets.

Agency IT assets must be maintained in accordance with security requirements defined by applicable federal laws, executive orders, directives, policies, standards, and regulations to ensure adequate confidentiality, availability, and integrity of the resources and information stored on or transmitted through the EPA network. Network vulnerabilities can expose IT assets to significant risk and disrupt operations if not identified and resolved.

This report addresses the following EPA Goal or Cross-Cutting Strategy:
  • Strengthening EPA's workforce and capabilities.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2013/20130508-13-P-0252.pdf

What We Found

Facilities management at the Office of Research and Development facilities does not consistently apply, or in some cases establish, controls to protect IT assets. We found instances where IT security practices at the facilities did not meet minimal recommended controls for securing IT assets. Chief among our findings are the following:

  • IT equipment was unprotected from and unmonitored for water damage.
  • Access to server rooms was unrestricted.
  • No continuity of operations plan exists for provisioning IT equipment.
  • Backup data were not stored offsite.

The National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, among other federal and Agency policies and procedures, provides minimum security-control recommendations. Many security weaknesses occurred at ORD facilities because these facilities did not follow federal and Agency guidance that prescribes measures for securing IT assets. Further, ORD facilities did not consistently perform or, when necessary, enhance security practices established to protect their facilities, as well as the IT resources within their custody. Failure to consistently follow, perform, and monitor recommended and established security practices compromises the security of IT assets, disrupts business operations, and exposes sensitive Agency information.

Recommendations and Planned Agency Corrective Actions

Management agreed with 14 of the 18 report recommendations to improve practices at ORD facilities. We consider these recommendations unresolved until the Agency provides planned completion dates. Management did not agree with recommendations to improve controls around the closed-circuit television system and to protect servers from accidental water damage. These recommendations are unresolved. We believe it is incumbent upon management to assess the risks for not implementing these needed measures. Furthermore, when required by federal guidance, management should document its decisions and have the responsible official formally accept responsibility.

Noteworthy Achievements

We conducted tests to determine the effectiveness of security practices for remote-access capability. We concluded that ORD labs implemented effective IT security controls that prevent unauthorized connection and communication by limiting access to the Agency's network through wireless network-access points.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

May 8, 2013

MEMORANDUM

SUBJECT:  Improvements Needed to Secure IT Assets at EPA-Owned Research Facilities
          Report No. 13-P-0252

FROM:     Arthur A. Elkins Jr.

TO:       Lek Kadeli, Principal Deputy Assistant Administrator
          Office of Research and Development

This is our report on the subject audit conducted by the Office of Inspector General of the U.S. Environmental Protection Agency. This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. EPA agreed with 14 of the recommendations. However, we consider these recommendations unresolved until ORD provides estimated completion dates. The Agency and the OIG disagreed on the other four recommendations and these will be addressed through the audit resolution process. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

In accordance with EPA Manual 2750, the resolution process begins immediately with the issuance of this report.
We are requesting a meeting within 30 days between the Deputy Assistant Administrator for Management for the Office of Research and Development and the OIG's Assistant Inspector General for the Office of Audit to resolve the four recommendations with which ORD disagrees. During the 30 days, we are requesting the planned completion dates for the remaining 14 recommendations. If resolution is still not reached, the ORD is required to complete and submit the dispute resolution request to the Chief Financial Officer to continue resolution.

If you or your staff have any questions regarding this report, please contact Richard Eyermann, Acting Assistant Inspector General for the Office of Audit, at (202) 566-0565 or eyermann.richard@epa.gov; or Rudolph M. Brevard, Director of Information Resources Management Audits, at (202) 566-0893 or brevard.rudy@epa.gov.


Improvements Needed to Secure IT Assets at EPA-Owned Research Facilities                    13-P-0252

Table of Contents

Chapters
   1  Introduction ... 1
        Purpose ... 1
        Background ... 1
        Noteworthy Achievements ... 1
        Scope and Methodology ... 1

   2  Agency's Network and Data Vulnerable to Unauthorized Access ... 3
        Network Connectivity at Risk Due to Unlocked Wiring Closets ... 3
        Network at Risk Due to Unrestricted LAN Access and Unpatched PCs ... 3
        Access to Unsecured IT Assets Could Disclose Sensitive Data ... 4
        Recommendations ... 5
        Agency Response and OIG Evaluation ... 5

   3  IT Assets Unprotected by Physical and Environmental Controls ... 6
        Security Practices for Removal of IT Equipment Are Not Consistently Implemented ... 6
        Facilities and IT Property Unprotected from Unauthorized Access ... 7
        Physical Access to Server Room Unrestricted ... 7
        Facilities' Closed-Circuit Television System Unequipped to Monitor All Entry Points ... 8
        Recommendations ... 8
        Agency Response and OIG Evaluation ... 9

   4  Facilities Unprepared to Continue Operations in Emergency Situations ... 10
        Sanitized Media Untested for Removal of Sensitive Information ... 10
        IT Resources Not Identified for Continuity of Business Operations ... 10
        Critical Backup Media Not Stored Offsite for Continuity of Business Operations ... 11
        Tested Emergency Power Supply and Water-Detection Devices Needed for Continuity of Business Operations ... 11
        Recommendations ... 12
        Agency Response and OIG Evaluation ... 13

   Status of Recommendations and Potential Monetary Benefits ... 14

Appendices
   A  Findings and Recommendations by Site ... 17
   B  Agency Response to Draft Report ... 20
   C  Agency Response to OIG Revised Recommendations ... 29
   D  Distribution ... 34


Chapter 1
Introduction

Purpose

We sought to determine to what extent management at U.S. Environmental Protection Agency research facilities establish and implement security practices to protect Agency information technology assets.

Background

IT assets require countermeasures and security controls that protect computer-processing capabilities and mitigate the risk of loss caused by theft, fire, flood, intentional destruction and damage, mechanical equipment and power failures, and unauthorized access. Security controls are the management, operational, and technical safeguards employed in an information system to protect the confidentiality, integrity, and availability of the system and its information. Without protective countermeasures and security controls applied to information systems, Agency operations could be disrupted.

Noteworthy Achievements

For each of the sites visited, we conducted tests to determine the effectiveness of security practices for remote-access capability.
Remote access is the ability to communicate with another computer or network over communication lines. From our tests, we concluded that Office of Research and Development labs implemented effective IT security controls that prevent unauthorized connection and communication by limiting access to the Agency's network through wireless network-access points.

Scope and Methodology

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We conducted this audit from February 2011 through October 2012. We evaluated the EPA's controls designed to protect IT assets from physical, environmental, and human threats. We focused on facilities that the EPA owns and therefore has sole responsibility for the security of IT assets. We further limited our selection to program offices that occupy the majority of these facilities.

ORD labs are the primary occupants for 12 of the 21 EPA-owned facilities. From this group of 12 facilities, we chose to visit the following 3 facilities:

  • Gulf Ecology Division, Gulf Breeze, Florida
  • Atlantic Ecology Division, Narragansett, Rhode Island
  • Ecosystems Research Division, Athens, Georgia

In addition, we used Office of Inspector General audit results from two other ORD site locations. That assessment documented findings related to the IT security of computer rooms at the ORD facility in Las Vegas, Nevada, and the ORD lab in Corvallis, Oregon. The results of these site visits are reported in the OIG Report, EPA Should Improve Management Practices and Security Controls for Its Network Directory Service System and Related Servers, Report No. 12-P-0836, September 20, 2012. Appendix A summarizes our findings from all of the assessed ORD facilities.

We used the National Institute of Standards and Technology Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, May 1, 2010, as the template for evaluating IT security controls at ORD labs. We also referred to the U.S. Government Accountability Office Federal Information System Control Audit Manual, February 2009, GAO-09-232G, for guidance on general controls categories and for additional descriptions of control activities that should be included in IT security practices.

We designed an assessment tool that covers the following five NIST SP 800-53, Revision 3, security-control families:

  • Physical and Environmental Protection
  • Access Control
  • Media Protection
  • System and Communications Protection
  • Contingency Planning

We interviewed management at the ORD facilities, ORD program personnel, system administrators, and security personnel. We requested and reviewed the facilities' local procedures, as well as relevant federal and Agency policies and procedures. Further, we conducted tests to verify the implementation and effectiveness of security controls and practices. We did not conduct follow-up audit work because there were no previous reports in this area.


Chapter 2
Agency's Network and Data Vulnerable to Unauthorized Access

ORD facilities do not have established controls that secure or mitigate risks to the Agency's network and data. Specifically, we found that ORD facilities management did not protect wiring closets, Local Area Network access points, and personal computers from unauthorized access. Although we found that ORD management is limiting access to the Agency's network through wireless network access points, the encryption security for these access points can be improved. Agency guidance recommends safeguards that secure networks and data, and mitigate risks from misuse and other security breaches. The weaknesses we identified are the result of facilities management not adhering to and implementing Agency security requirements. Failure to actively manage access to the Agency's network and data can lead to theft, destruction, or the compromise of sensitive information.

Network Connectivity at Risk Due to Unlocked Wiring Closets

By failing to require the use of keys or electronic door locks, ORD facilities management is not restricting access to critical wiring closets. These closets contain cabling and switches that connect facility computers to the LAN and the Agency's network. NIST SP 800-53, Revision 3, recommends securing information system distribution and transmission lines, including the wiring closets. Wiring closets are unsecured because management at the ORD facilities relies on limited security guard patrol to keep buildings and assets protected. Although guard patrols are a compensating control, there are not enough guards to cover the entire site at all times. Unsecured wiring closets increase the likelihood that unauthorized individuals could gain access to the telecommunications areas and damage the networks' wires and cables.

Network at Risk Due to Unrestricted LAN Access and Unpatched PCs

ORD facilities management has not implemented controls over production LAN access to mitigate the risk of a compromised network. When we connected a laptop as an unauthorized device to a random port, we were able to gain access to the network. According to the Agency Network Security Policy, the Agency shall implement protective mechanisms that ensure network security by regulating the type and direction of network activities. We were able to make the unauthorized connection because facilities management assumed the port was restricted to the device that was currently connected to the port. An unrestricted port could allow a device that contains viruses or other malware to connect and potentially infect the Agency's network.

We also identified lab PCs connected to the production LAN[1] which did not have updated security patches. The Agency Network Security Policy requires system administrators to apply security patches and upgrades consistent with Agency-approved standards. Management at ORD facilities asserts that applying security patches to these lab computers would cause them to crash and lose research data. Further, lab staff stated that these computers must remain connected to the LAN for printing and research purposes.
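The two conditions just described (an unauthorized laptop accepted on an arbitrary port, and unpatched lab PCs left on the production LAN) are the ones this chapter asks the facilities to detect and isolate. The following script is an added example, not part of the OIG report: it compares a switch MAC-address table against an authorized-device inventory that records each host's last patch date and lists the production-LAN ports that need action. The table layout, hostnames, MAC addresses, VLAN numbers and dates are all constructed for the example.

```python
"""Added example (not from the OIG report): a production-LAN inventory check
that flags the two conditions the audit found, so the affected devices can be
isolated or removed as the report recommends.

Assumptions, all constructed for the example: the switch MAC-address table
layout ("port  mac  vlan" per line), the hostnames, MAC addresses, VLAN
numbers and patch dates. Real switches export their tables in vendor-specific
layouts; adapt parse_switch_table() to the export you actually have.
"""
from dataclasses import dataclass
from datetime import date

PRODUCTION_VLAN = 10        # constructed: VLAN carrying the production LAN
MAX_PATCH_AGE_DAYS = 30     # constructed: allowed age of the last security patch

# Constructed authorized-device inventory: MAC -> (hostname, last patch date).
INVENTORY = {
    "00:11:22:33:44:01": ("GED-FIN-WS01", date(2013, 4, 30)),
    "00:11:22:33:44:02": ("GED-LAB-PC07", date(2011, 8, 15)),  # lab PC, never patched
    "00:11:22:33:44:03": ("GED-PRINT-01", date(2013, 3, 2)),
}

# Constructed switch MAC-address table: access port, learned MAC, VLAN.
# Gi0/3 carries a MAC that is in no inventory: the "laptop on a random port" case.
SWITCH_TABLE = """\
Gi0/1  00:11:22:33:44:01  10
Gi0/2  00:11:22:33:44:02  10
Gi0/3  AA:BB:CC:DD:EE:FF  10
Gi0/4  00:11:22:33:44:03  20
"""


@dataclass(frozen=True)
class Finding:
    port: str
    mac: str
    reason: str
    action: str


def parse_switch_table(text):
    """Yield (port, mac, vlan) from the constructed table; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # do not guess at lines that do not match the expected layout
        yield parts[0], parts[1].lower(), int(parts[2])


def audit_lan(table_text, inventory, today_iso,
              production_vlan=PRODUCTION_VLAN, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return one Finding per production-LAN port that needs action.

    - MAC not in the inventory: treat as an unauthorized device (quarantine the
      port, then identify it); the audit laptop accepted on an arbitrary port
      would have shown up this way.
    - Inventoried host patched more than max_age_days ago: isolate it from the
      production LAN until it is patched, instead of leaving it connected for
      printing convenience.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for port, mac, vlan in parse_switch_table(table_text):
        if vlan != production_vlan:
            continue                      # other VLANs are out of scope here
        if mac not in inventory:
            findings.append(Finding(port, mac, "MAC not in authorized inventory",
                                    "move port to quarantine VLAN and identify device"))
            continue
        host, last_patch = inventory[mac]
        age = (today - last_patch).days
        if age > max_age_days:
            findings.append(Finding(port, mac, f"{host} last patched {age} days ago",
                                    "isolate from production LAN until patched"))
    return findings


if __name__ == "__main__":
    # Run the check against the constructed data as of the report's issue date.
    for f in audit_lan(SWITCH_TABLE, INVENTORY, "2013-05-08"):
        print(f"{f.port:6} {f.mac}  {f.reason}  -> {f.action}")
```

Hosts on other VLANs are deliberately skipped, so a device moved to a quarantine VLAN drops out of the report once it is off the production LAN.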
Without appropriate security patches, viruses\n                    and other malware could spread to the production LAN, as well as to other\n                    connected components.\n\nAccess to Unsecured IT Assets Could Disclose Sensitive Data\n                    ORD management is not protecting IT assets from unauthorized access via\n                    internal and external sources. We found workstations with critical financial\n                    applications, passwords, and thumb drives left unattended. According to the\n                    Agency Network Security Policy, EPA personnel, including contractors, are\n                    responsible for safeguarding sensitive information, in addition to managing and\n                    protecting passwords. However, management does not monitor staff to determine\n                    whether they comply with Agency IT security requirements. Failure to safeguard\n                    information, follow security guidelines, and monitor compliance could result in\n                    sensitive information being modified or stolen.\n\n                    In addition, our analysis revealed that wireless access point encryption security\n                    could be strengthened. The Agency Network Security Policy states that\n                    information safeguards (such as encryption, data filtering, tagging, or segregation)\n                    must be implemented to ensure that sensitive information is protected from\n                    disclosure, misuse, or other security breaches. 
Currently, ORD uses Wired\n                    Equivalent Privacy encryption as its wireless security method, which is less\n                    secure than Wi-Fi Protected Access or Wi-Fi Protected Access II encryption.\xc2\xa0\n                    However, ORD staff stated that they did not apply more robust security settings to\n                    the wireless access points because these access points are not physically or\n                    virtually connected to the facilities\xe2\x80\x99 network or the LAN. ORD staff further stated\n                    that limited security allows easier connection for visitors. Without these security\n                    settings, an attacker could launch a \xe2\x80\x9cMan-in-the-Middle\xe2\x80\x9d attack to intercept the\n                    path of communication and masquerade as a legitimate party, such as an\n                    EPA facility.\n\n                    \xc2\xa0\n\n\n\n\n1\n    Production LAN is the network in which current systems operate; it is separate from the development or test LAN.\n\n13-P-0252                                                                                                          4\n\x0cRecommendations\n            We recommend that the Principal Deputy Assistant Administrator for Research\n            and Development require facilities management personnel at:\n\n               1.\t The Gulf Ecology Division to install locks on all facility wiring closets\n                   protecting information technology assets. Additionally, require\n                   management personnel at all other ORD facilities to conduct inspections\n                   to verify functioning locks on wiring closets protecting information\n                   technology assets have been installed.\n\n               2.\t The Gulf Ecology Division to install locks on all facility exterior doors\n                   protecting information technology assets. 
Additionally, require\n                   management personnel at all other ORD facilities to verify functioning\n                   locks on exterior doors containing information technology assets have\n                   been installed.\n\n               3.\t All ORD facilities to configure LAN security software to prevent\n                   unauthorized device connection, and isolate or remove unpatched devices\n                   from the production LAN.\n\n               4.\t All ORD facilities to perform and document semiannual workstation\n                   audits to assess staff compliance with Agency IT security requirements.\n\n               5.\t All ORD facilities to strengthen encryption on all ORD wireless\n                   access points.\n\nAgency Response and OIG Evaluation\n            EPA concurs with the report recommendations. Subsequent to issuance of our draft\n            report, we met with Agency officials to discuss their concerns with the draft\n            report\xe2\x80\x99s recommendations. Where appropriate, we modified the report\xe2\x80\x99s\n            recommendations to address management\xe2\x80\x99s concerns. Appendix B provides the\n            Agency\xe2\x80\x99s original response to the draft report. Appendix C provides the crosswalk\n            between the OIG revised recommendations and the Agency\xe2\x80\x99s response to those\n            revised recommendations, along with the OIG overall analysis.\n\n\n\n\n13-P-0252                                                                                      5\n\x0c                                   Chapter 3\n\n            IT Assets Unprotected by Physical and \n\n                   Environmental Controls \n\n            Some ORD facilities do not follow established physical and environmental\n            practices that protect IT assets from unauthorized access. 
These conditions exist, in some cases, because existing procedures for securing federal property, as documented in local facility security operating procedures, are not enforced. The absence of consistently performed practices compromises the security of significant IT assets and exposes them to theft.

Security Practices for Removal of IT Equipment Are Not Consistently Implemented

Management at some ORD facilities has not consistently implemented local security practices that could prevent the unauthorized removal of IT equipment. For example:

   • Security personnel do not inspect vehicles that enter and exit the grounds.
   • Front-desk personnel do not examine, and have not been trained to examine, baggage entering and exiting the facility.
   • Security personnel do not examine property passes and compare them to employee ID badges to verify that the removal of IT equipment is authorized.

Local standard operating procedures for security guard services and security protection emphasize facility-specific measures that protect buildings, personnel, and government property. These guard post orders and security operations procedures stress tasks dedicated to the inspection of vehicles, baggage, briefcases, and property passes. These procedures go beyond federal guidance, but they increase the likelihood of detecting unauthorized removal of government property or other suspicious activity. We found that facilities management does not enforce the inspection of employee vehicles, baggage, and property passes because of familiarity with facility employees.

Additionally, we found that while contracted security services personnel are on roving patrol of the facility, no security personnel are stationed at the facility's main entrance to conduct random inspections and monitor surveillance equipment. Contracted security services personnel are trained in general security services and are further trained in facility-specific security procedures. They are expected to meet minimum qualifications that allow them to conduct surveillance and protect property. Personnel who perform the security function in the absence of the contracted security services personnel should likewise be trained and qualified to do so. Without a consistently implemented strategy to prevent the unauthorized removal of IT equipment or other government property, theft of IT equipment (including sensitive data residing on the equipment) could occur.

Facilities and IT Property Unprotected from Unauthorized Access

ORD IT assets are unguarded and unprotected from unauthorized physical access and removal. First, we noted contractors freely entering and exiting an unlocked room containing production servers that host facility security applications, as well as unsecured electronic key cards that grant access to the facility. Second, we noted ORD staff entering and exiting buildings through unguarded and unmonitored doors, providing no opportunity to inspect baggage that may contain unauthorized items or equipment. 
Further, during a review of the facility employee separation process, we noted that management has no process for retrieving key cards and vehicle decals from contract employees before they terminate employment at the facility.

NIST SP 800-53, Revision 3, specifies the monitoring of all entry and exit points to account for IT property and authorized access. Further, it specifies that agencies restrict access to authorized personnel only in areas where information systems reside.

Unrestricted access to and from these ORD buildings exists because:

   • Facilities management is not using locks or key card entry.
   • Facilities personnel state that budget restrictions prevent the monitoring of all building entrances and exits.
   • Facilities management has not established a policy requiring contract employees to return key cards and vehicle decals on the final day of their employment.

These weaknesses expose facilities to unauthorized and unrestricted access and do not protect against the removal of valuable IT assets or the destruction of property.

Physical Access to Server Room Unrestricted

Access to the ORD server rooms is not restricted to personnel with direct responsibility for IT equipment. The access control listings show an excessive number of personnel with access to the server rooms. NIST SP 800-53, Revision 3, specifies that organizations authorize physical access to the facility where the information system resides based on position or role. However, LAN administrators are approving access requests without considering need or job responsibility. Granting server room access to staff and visitors without a valid purpose increases the risk of unauthorized changes to equipment.

Facilities' Closed-Circuit Television System Unequipped to Monitor All Entry Points

ORD facilities have limited camera coverage and cannot monitor all building entrances. In some cases, we found no security cameras at main entrances, lobbies, exit doors, outside the server rooms, or near backup generators. In addition, we observed limited external lighting, which prevents proper surveillance of areas such as parking lots, building annexes, and storage areas. Lighting should be sufficient to illuminate potential areas of concealment, enhance observation by guard patrols, and provide for the safety of personnel moving between adjacent parking areas, streets, and alleyways and around the facility. Site lighting should be coordinated with the closed-circuit television system.

We also found that some facilities had inadequate CCTV digital video storage and playback time. For example, some cameras retained only 48 to 72 hours of recorded video; one facility used real-time monitoring only, leaving no recorded video available for review.

The Interagency Security Committee's Physical Security for Federal Facilities allows the EPA to determine the length of time for which digital images should be stored, based upon facility operations and equipment capabilities. However, ORD facilities have not established the amount of video storage time required for retention and inspection purposes. 
The Security Management Division, Office of Administrative Service, provides guidance that requires the EPA to archive Agency CCTV recordings for up to 1 year at a secure location. Without ample storage and playback time, facilities management will not have enough video to evaluate evolving security incidents.

Recommendations

We recommend that the Principal Deputy Assistant Administrator for Research and Development require facilities management personnel at:

   6. The Atlantic Ecology Division and Ecosystems Research Division to guard the facility entrances and exits to facilitate random checks of vehicles, baggage, and property passes. Additionally, require management personnel at all other ORD facilities to adhere to local facility security procedures if random checks of vehicles, baggage, and property passes are required.

   7. The Atlantic Ecology Division to train all main-entrance personnel to inspect badges, baggage, and property passes. Additionally, require management personnel at all other ORD facilities to train, if needed, their main-entrance personnel on any required local facility security procedures for inspecting badges, baggage, and property passes at building entrances.

   8. All ORD facilities to lock the door to the room containing servers that host facility security applications, or to move the servers to a secure location.

   9. All ORD facilities to include contract employees in the facilities' employment separation policy and procedures.

   10. All ORD facilities to formalize a process that restricts access to ORD server rooms based upon job responsibility and need.

   11. The Gulf Ecology Division and Atlantic Ecology Division to improve camera-monitoring systems and lighting to increase visibility at sites, and to monitor external buildings, server rooms, hallways, storage areas, and entries and exits. Additionally, require management personnel at all other ORD facilities to review camera-monitoring systems and lighting to ensure the equipment is functioning properly and facilitates monitoring of external buildings, server rooms, hallways, storage areas, and entries and exits.

   12. The Gulf Ecology Division and Atlantic Ecology Division to increase CCTV monitoring storage time to meet EPA-approved storage requirements. Additionally, require management personnel at all other ORD facilities to review their practices to ensure CCTV monitoring storage time meets EPA-approved storage requirements.

Agency Response and OIG Evaluation

EPA concurs with recommendations 6 through 10. Management does not concur with the recommendations to improve CCTV functionality, to improve monitoring of ORD facilities, or to increase CCTV monitoring storage time. Management follows Interagency Security Committee physical security standards, and these standards do not define minimum coverage or minimum recording capacity for CCTV systems. However, the Closed-Circuit Television (CCTV) Systems Guidance requires the EPA to archive Agency CCTV recordings for up to 1 year at a secure location. As such, it is incumbent upon management to assess the risks and implement appropriate controls. We found that the lack of adequate building lighting and CCTV coverage makes the system ineffective for properly monitoring the facilities. Furthermore, CCTV storage capacity is inadequate to support management's investigation of a security breach or incident, should one occur.

Subsequent to issuance of our draft report, we met with Agency officials to discuss their concerns with the report's recommendations. Where appropriate, we modified the report's recommendations to address management's concerns. Appendix B provides the Agency's original response to the draft report. Appendix C provides the crosswalk between the OIG revised recommendations and the Agency's response to those revised recommendations, along with the OIG overall analysis.

Chapter 4
Facilities Unprepared to Continue Operations in Emergency Situations

ORD facilities have not tested, identified, or executed preventive planning measures to ensure continuous business operations in the event of an emergency or an unauthorized information disclosure. 
This occurred because ORD facilities did not adhere to minimum security controls recommended by federal guidance. Without these controls in place, ORD facilities could encounter a disruption in business operations and experience a breach of sensitive information.

Sanitized Media Untested for Removal of Sensitive Information

ORD facilities are not testing sanitized media, such as hard drives, to ensure future users cannot obtain sensitive information. During our audit, we found that media is sanitized in-house by degaussing. Degaussing a current-generation hard disk renders the drive permanently unusable: the degausser exposes the drive to a strong magnetic field that scrambles the recorded data together with the factory-written servo information the drive needs to position its heads, so the drive is presumed to be no longer functional. However, according to the Agency's Disk Sanitization Procedures, for drives sanitized at the facility, IT personnel must test the drives on a random basis to ensure the removal of all sensitive data. Our review found that facility IT personnel rely on degaussing to make drives inoperable and unable to retain data, and did not test sanitized media. Sanitized media may still contain sensitive data that could compromise the Agency if obtained by unauthorized parties, and it should be tested.

IT Resources Not Identified for Continuity of Business Operations

Continuity of operations plans for ORD facilities do not identify IT equipment needs or the availability of IT equipment in the event of a COOP emergency. ORD COOP plans did not properly identify the IT equipment needed to prepare alternative worksites, known as cold sites. In addition, the ORD COOP plans did not provide listings of local stores from which to purchase IT equipment or the names of government purchase cardholders authorized to make procurements for each ORD facility.

NIST SP 800-53, Revision 3, specifies that equipment and supplies required to resume operations be available at the alternate site, or that contracts be in place to support delivery of equipment and supplies to the site in time to meet the agency-defined time period for resumption of business operations. In addition, the publication specifies that the organization establish an alternate processing site, including the necessary agreements, to permit the resumption of information system operations for essential mission and business functions when primary processing capabilities are unavailable.

ORD COOP plans do not include these details because ORD management did not provide instructions for documenting IT equipment needs and usage in the event of an emergency. Without defining and documenting IT equipment needs and usage in the COOP plan, ORD labs may experience delays in the resumption of business operations in the event of a COOP emergency.

Critical Backup Media Not Stored Offsite for Continuity of Business Operations

ORD facilities do not have offsite backup data, as federal guidance prescribes. According to NIST SP 800-53, Revision 3, agencies are responsible for ensuring the recovery of data by storing backup copies of the data, the operating system, and other critical information system software in a separate facility or in a fire-rated container that is not co-located in the same physical area. ORD facilities store backup tapes onsite because they rely on the primary site's fire-rated containers to protect backup copies of data. However, if a geographic disaster destroys the primary site, the backup data will be destroyed as well, hindering resumption of business operations.

Tested Emergency Power Supply and Water-Detection Devices Needed for Continuity of Business Operations

We found that the uninterruptible power supplies serving the server rooms had not been tested. An uninterruptible power supply keeps systems running during a loss of primary power and so supports continuous operations in the event of a disaster. According to NIST SP 800-53, Revision 3, agencies are responsible for providing a short-term uninterruptible power supply to permit the orderly shutdown of information systems in the event of a primary power source loss. In addition, Office of Management and Budget Circular A-130, Appendix III, suggests that agencies establish and periodically test contingency planning activities for service interruptions. ORD IT personnel stated that they do not test the uninterruptible power supply because of the disruption to operations that a failed test would cause. When asked, ORD IT personnel were not able to provide testing documents or guidance for establishing preventive controls. ORD facilities could face significant delays in restoring power if uninterruptible power supplies do not perform as they should.

Moreover, we found servers placed under charged, wet-pipe fire suppression systems.[2] At each facility we visited, we observed sprinklers located directly above server racks, leaving them subject to water damage in the event of leakage.

[2] In wet-pipe sprinkler systems, the most common of all sprinkler systems, water remains in the overhead piping until a head fuses, causing the water pressure to force the water out to suppress a fire.

According to OMB Circular A-123, management is responsible for ensuring that an effective internal control environment is sustained. ORD management stated that in the event of an emergency, protecting personnel is a higher priority than protecting IT equipment. However, placing the servers under wet-pipe sprinkler systems could lead to water damage, loss of critical scientific data, and loss of backup tapes stored in server rooms.

Similarly, sensors to detect water leakage or flooding are not installed in server rooms at ORD facilities. Our audit found that ORD management did not plan a strategy to address water-leakage events in the server room. The inability to detect server room flooding and alert IT personnel increases the likelihood of damage to the server room and IT equipment, and could result in a disruption of business operations.

Recommendations

We recommend that the Principal Deputy Assistant Administrator for Research and Development require facilities management personnel at:

   13. All ORD facilities to develop and employ procedures for the random testing of sanitized drives to verify the removal of sensitive information.

   14. The Gulf Ecology Division, Atlantic Ecology Division, and Ecosystems Research Division to update contingency plans to include:

       a. A list of required IT equipment provisions for essential staff in the event of an emergency.
       b. A list of local stores and vendors from which to procure IT equipment in order to maintain operations in an emergency.
       c. Procurement procedures and the names of authorized purchase cardholders in COOP plans for each ORD facility.

       Additionally, require management personnel at all other ORD facilities to provide operational resources and facilities in the event of an emergency.

   15. All ORD facilities to relocate data backup tapes offsite to a secure location.

   16. All ORD facilities to conduct and document annual tests (during non-business hours) of the uninterruptible power supply connected to servers.

   17. The Gulf Ecology Division, Atlantic Ecology Division, and Ecosystems Research Division to move the server racks so that they are not located directly under sprinkler heads or water pipes, or to install leak shields on sprinkler heads located above the server racks, to comply with NIST SP 800-53 requirements. If management decides to accept the risk of not relocating the server racks, then ORD should update the respective information system security plan and have the authorizing official formally accept the responsibility for operating the room with known risks, as required by federal policy.

   18. All ORD facilities to develop a strategy that addresses limiting water damage to IT assets located in the server room and includes:

       a. A 24 hours/day, 7 days/week monitoring provision.
       b. Timely actions to be taken in the event of water leaks in the server room.

       If management decides to accept the risk of not developing a strategy to comply with NIST SP 800-53 requirements, then ORD should update the respective information system security plan and have the authorizing official formally accept the responsibility for operating the room with known risks, as required by federal policy.

Agency Response and OIG Evaluation

EPA concurs with recommendations 13 through 16. Management does not concur with the recommendations to improve server room environmental controls to protect the servers from accidental water damage. Management states that installing a shield could create an obstruction that interrupts the water discharge and results in loss of life. Management also states that the fire protection systems are zoned to discharge water only in the area(s) that require fire suppression, and that if a leak occurs, the water and/or air pressure will drop and trigger an alarm.

Our audit revealed that many of the ORD servers in question sit directly under sprinkler heads, and that the risk of accidental water damage could be reduced by rearranging the servers within the room. However, it is incumbent upon management to assess the risks of not implementing these needed measures. Furthermore, when specified in federal guidance, management should document its decisions within the organization's information system security plan. Additionally, we requested documentation governing the fire system design and alarm system. Management had not provided this information. 
Therefore, we consider these recommendations unresolved.

Subsequent to issuance of our draft report, we met with Agency officials to discuss their concerns with the report's recommendations. Where appropriate, we modified the report's recommendations to address management's concerns. Appendix B provides the Agency's original response to the draft report. Appendix C provides the crosswalk between the OIG revised recommendations and the Agency's response to those revised recommendations, along with the OIG overall analysis.

Status of Recommendations and Potential Monetary Benefits

Columns: Rec. No. | Page No. | Subject | Status[1] | Action Official | Planned Completion Date | Claimed Amount (in $000s) | Agreed-To Amount (in $000s)

For every recommendation in the table, the Status is U, the Action Official is the Principal Deputy Assistant Administrator for Research and Development, and the Planned Completion Date, Claimed Amount, and Agreed-To Amount columns are blank.

Rec. No. | Page No. | Subject

 1 | 5 | Require facilities management personnel at the Gulf Ecology Division to install locks on all facility wiring closets protecting information technology assets. Additionally, require management at all other ORD facilities to conduct inspections to verify that functioning locks have been installed on wiring closets protecting information technology assets.

 2 | 5 | Require facilities management personnel at the Gulf Ecology Division to install locks on all facility exterior doors protecting information technology assets. Additionally, require management at all other ORD facilities to verify that functioning locks have been installed on exterior doors protecting information technology assets.

 3 | 5 | Require facilities management personnel at all ORD facilities to configure LAN security software to prevent unauthorized device connections, and to isolate or remove unpatched devices from the production LAN.

 4 | 5 | Require facilities management personnel at all ORD facilities to perform and document semiannual workstation audits to assess staff compliance with Agency IT security requirements.

 5 | 5 | Require facilities management personnel at all ORD facilities to strengthen encryption on all ORD wireless access points.

 6 | 8 | Require facilities management personnel at the Atlantic Ecology Division and Ecosystems Research Division to guard facility entrances and exits to facilitate random checks of vehicles, baggage, and property passes. Additionally, require management at all other ORD facilities to adhere to local facility security procedures if random checks of vehicles, baggage, and property passes are required.

 7 | 8 | Require facilities management personnel at the Atlantic Ecology Division to train all main-entrance personnel to inspect badges, baggage, and property passes. Additionally, require management at all other ORD facilities to train, if needed, their main-entrance personnel on any required local facility security procedures for inspecting badges, baggage, and property passes at building entrances.

 8 | 9 | Require facilities management personnel at all ORD facilities to lock the door to the room containing servers that host facility security applications, or to move the servers to a secure location.

 9 | 9 | Require facilities management personnel at all ORD facilities to include contract employees in the facilities' employment separation policy and procedures.

10 | 9 | Require facilities management personnel at all ORD facilities to formalize a process that restricts access to ORD server rooms based upon job responsibility and need.

11 | 9 | Require facilities management personnel at the Gulf Ecology Division and Atlantic Ecology Division to improve camera-monitoring systems and lighting to increase visibility at sites, and to monitor external buildings, server rooms, hallways, storage areas, and entries and exits. Additionally, require management at all other ORD facilities to review camera-monitoring systems and lighting to ensure the equipment is functioning properly and facilitates monitoring of external buildings, server rooms, hallways, storage areas, and entries and exits.

12 | 9 | Require facilities management personnel at the Gulf Ecology Division and Atlantic Ecology Division to increase CCTV monitoring storage time to meet EPA-approved storage requirements. Additionally, require management at all other ORD facilities to review their practices to ensure CCTV monitoring storage time meets EPA-approved storage requirements.

13 | 12 | Require facilities management personnel at all ORD facilities to develop and employ procedures for the random testing of sanitized drives to verify the removal of sensitive information.

14 | 12 | Require facilities management personnel at the Gulf Ecology Division, Atlantic Ecology Division, and Ecosystems Research Division to update their contingency plans to include: (a) a list of required IT equipment provisions for essential staff in the event of an emergency; (b) a list of local stores and vendors from which to procure IT equipment in order to maintain operations in an emergency; and (c) procurement procedures and the names of authorized purchase cardholders in COOP plans for each ORD facility. Additionally, require management personnel at all other ORD facilities to provide operational resources and facilities in the event of an emergency.

15 | 12 | Require facilities management personnel at all ORD facilities to relocate data backup tapes offsite to a secure location.

16 | 12 | Require facilities management personnel at all ORD facilities to conduct and document annual tests (during non-business hours) of the uninterruptible power supply connected to servers.

17 | 12 | Require facilities management personnel at the Gulf Ecology Division, Atlantic Ecology Division, and Ecosystems Research Division to move the server racks so that they are not located directly under sprinkler heads or water pipes, or to install leak shields on sprinkler heads located above the server racks, to comply with NIST SP 800-53 requirements. If management decides to accept the risk of not relocating the server racks, then ORD should update the respective information system security plan and have the authorizing official formally accept the responsibility for operating the room with known risks, as required by federal policy.

18 | 13 | Require facilities management personnel at all ORD facilities to develop a strategy that addresses limiting water damage to IT assets located in the server room and includes: a. 
A 24 hours/day, 7 days/week monitoring\n                           provision.\n                        b. Timely actions to be taken in the event of\n                           water leaks in the server room.\n                    If management decides to accept this risk of not\n                    developing a strategy to comply with NIST SP\n                    800-53 requirements, then ORD should update the\n                    respective information system security plan and\n                    have the authorizing official formally accept the\n                    responsibility for operating the room with known\n                    risks as required by federal policy.\n\n\n\n\n1    O = Recommendation is open with agreed-to corrective actions pending.\n\n     C = Recommendation is closed with all agreed-to actions completed.\n\n     U = Recommendation is unresolved with resolution efforts in progress.\n\n\n\n\n\n13-P-0252                                                                                                                                         16\n\x0c                                                                                           Appendix A\n\n                  Findings and Recommendations by Site\nTable A-1: Findings and recommendations by ORD site\n                                                                  ORD\n                                                                                              ORD\n                                                         GEDa     Las      AEDb     ERDc\n                                                                                             Corvallis\n  Issue reviewed           Recommendations                       Vegas\n                                                                X = Weakness found at location\n\n Network cables      Install locks on all facility\n                                                          X\n and switches        wiring closets.\n exposed to      
    Install locks on exterior doors\n tampering           to buildings that contain IT         X\n (p. 3)              assets.\n                     Configure LAN security\n Port security not\n                     software to prevent\n configured and PC\n                     unauthorized device\n security patches                                                                     X\n                     connection, and isolate or\n outdated\n                     remove unpatched devices\n (pp. 3\xe2\x80\x934)\n                     from the production LAN.\n                     Perform and document\n ORD workstations    semiannual workstation audits\n left unattended     to assess staff compliance           X                  X        X\n (p. 4)              with Agency IT security\n                     requirements.\n Wireless LAN\n connection          Strengthen encryption on all\n                                                          X\n unsecured           ORD wireless access points.\n (p. 4)\n                     Guard entrances and exits to\n                     facilitate random checks of\n IT equipment                                             X                  X        X\n                     vehicles, baggage, and\n susceptible to\n                     property passes.\n unauthorized\n                     Train all main-entrance\n removal\n                     personnel to inspect badges,\n (p. 6)                                                                      X\n                     baggage, and property\n                     passes.\n                     Lock the door to the room\n Key cards and\n                     containing servers that host\n host servers\n                     facility security applications or                                X\n unsecured\n                     move servers to a secure\n (p. 
7)\n                     location.\n\n\n\n\n  13-P-0252                                                                                          17\n\x0c                                                                    ORD\n                                                                                               ORD\n                                                           GEDa     Las      AEDb     ERDc\n                                                                                              Corvallis\n Issue reviewed             Recommendations                        Vegas\n                                                                  X = Weakness found at location\nRetrieval of\ncontract employee      Include contract employees in\nkey cards not          the facilities\xe2\x80\x99 employment\n                                                                                        X\nconsistently           separation policy and\nperformed              procedures.\n(p. 7)\nExcessive              Formalize a process that\nauthorized server      restricts access to ORD server\n                                                            X                  X        X          X\nroom access            rooms based upon job\n(p. 7)                 responsibility and need.\n                       Improve camera-monitoring\n                       systems and lighting to\n                       increase visibility at sites; and\nFacilities not fully\n                       to monitor external buildings,       X         X        X                   X\nmonitored by\n                       server rooms, hallways,\nCCTV system\n                       storage areas, and entries and\nbuilding access\n                       exits.\npoints\n                       Increase the CCTV monitoring\n(pp. 
7\xe2\x80\x938)\n                       storage time to meet EPA-\n                                                            X         X        X                   X\n                       approved storage\n                       requirements.\nUntested media\n                       Develop and employ\ndrives do not\n                       procedures for the random\nensure removal of\n                       testing of sanitized drives to                          X        X\nAgency\n                       verify the removal of sensitive\ninformation\n                       information.\n(p. 10)\n                       Update ORD COOP plans to\n                       include:\n                         a. A list of the required IT\n                                                            X                  X        X\n                             equipment provisions for\n                             essential staff in the\n                             event of an emergency.\n                         b. A list of local stores and\nCOOP plan                    vendors to procure IT\noutdated                     equipment from in order        X                  X        X\n(pp. 10\xe2\x80\x9311)                  to maintain operations in\n                             an emergency.\n                         c. 
Procurement procedures\n                             and the names of\n                             authorized purchase\n                                                            X                  X        X\n                             cardholders in COOP\n                             plans for each ORD\n                             facility.\n\n\n\n\n  13-P-0252                                                                                            18\n\x0c                                                                  ORD\n                                                                                             ORD\n                                                         GEDa     Las      AEDb     ERDc\n                                                                                            Corvallis\n  Issue reviewed            Recommendations                      Vegas\n                                                                X = Weakness found at location\n Backup tapes\n                       Relocate data backup tapes\n stored onsite                                            X                  X        X\n                       offsite to a secure location.\n (p. 11)\n Server rooms\n untested for\n uninterrupted\n                       Conduct and document annual\n power supplies,\n                       tests (during non-business\n and\n                       hours) of the uninterrupted                           X        X\n network cables\n                       power supply connected to\n and switches\n                       servers.\n exposed to\n tampering\n (p. 
11)\n                     Move the server racks so that\n                     they are not located directly\n                     under sprinkler heads or water\n                                                          X                  X        X          X\n                     pipes, or install leak shields on\n                     or above the server racks.\n                     Develop a strategy that\n No water sensors    addresses limiting water\n installed in server damage to IT assets located in\n room                the server room and include:\n (p. 12)               a. A 24 hours/day,\n                            7 days/week monitoring        X                                      X\n                            provision.\n                       b. Timely actions to be\n                            taken in the event of a\n                            water leak in the server\n                            room.\nSource: OIG analysis of field work results.\n        a\n            Gulf Ecology Division\n        b\n            Atlantic Ecology Division\n        c\n            Ecosystems Research Division\n\n\n\n\n   13-P-0252                                                                                         19\n\x0c                                                                                     Appendix B\n\n                   Agency Response to Draft Report\n\nMEMORANDUM\n\nSUBJECT:\t Office of Research and Development (ORD) Response to the Office of Inspector\n          General (OIG)\xe2\x80\x99s Draft Report entitled, \xe2\x80\x9cImprovements Needed to Secure IT\n          Assets at EPA-Owned Research Facilities,\xe2\x80\x9d dated October 31, 2012\n\nFROM: \t        Lek G. 
Kadeli, Principal Deputy Assistant Administrator

TO:       Arthur Elkins, Inspector General
          Office of Inspector General

Thank you for the opportunity to review and comment on OIG’s Draft Report, “Improvements Needed to Secure IT Assets at EPA-Owned Research Facilities.” Our comments are noted below.

The OIG report contained findings and recommendations concerning physical security at ORD facilities as well as information technology security. Office of Administration and Resources Management, Security Management Division (SMD) provides overarching guidance to the Agency regarding physical security issues and was consulted on this response.

We agree with SMD that the OIG review should have applied the Interagency Security Committee (ISC) standards document entitled, “Physical Security Criteria for Federal Facilities,” dated April 2012, in addition to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” which served as OIG’s primary basis for evaluation. NIST 800-53 contains security recommendations for federal information systems, whereas the ISC standards apply to federal facilities. The ISC standards take into account a facility’s assigned Facility Security Level (FSL) and have graduated security measures associated with the FSLs.

Moreover, SMD conducts routine vulnerability (security) assessments at EPA facilities. The SMD assessments and recommendations for each EPA facility are tailored to their assigned Facility Security Level, in accordance with the ISC standards. Individual ORD sites have Physical Security Plans that reflect their designated Facility Security Level. Therefore, ORD believes that the OIG’s findings and the resulting recommendations should be specific to the sites where vulnerabilities were detected and not generalized to all ORD facilities.

Detailed comments addressing each of the OIG’s recommendations are provided in the attachment. If you have any questions regarding this response, please contact Deborah Heckman at (202) 564-7274.


Rec. No. | OIG Recommendation | Responsible Office | ORD Response

Rec. 1
OIG Recommendation: Direct facilities management at all ORD facilities to install locks on all facility wiring closets.
Responsible Office: ORD/OARS
ORD Response: ORD concurs. However, note that the deficiency was only found at one facility (GED), and the recommended action is complete. ORD/OARS prefers that the recommendation only be directed to the facility where the finding was noted. ORD facilities have been made aware that this deficiency was noted at one facility, and therefore that all ORD facilities should review their status and take corrective actions if the deficiency exists.

Rec. 2
OIG Recommendation: Direct facilities management at all ORD facilities to install locks on exterior doors to buildings that contain IT assets.
Responsible Office: ORD/OARS
ORD Response: ORD non-concurs. All facilities have exterior door locks.

Rec. 3
OIG Recommendation: Direct facilities management at all ORD facilities to configure LAN security software to prevent unauthorized device connection, and isolate or remove unpatched devices from the production LAN.
Responsible Office: ORD/OSIM
ORD Response: ORD concurs. Initial site-specific findings from the audit have been corrected. To address this issue at all ORD remote sites, ORD/OSIM will continue implementation of the ORD Baseline Switch project. This effort addresses implementing a standard set of secure configuration settings that prevent unauthorized device connections to the production LAN. ORD/OSIM conducts patching as required by the Agency Computer Security Incident Response Capability (CSIRC). As unpatched systems are identified in various agency reports and operational efforts, these systems will be reviewed and brought up to the necessary patch level.

Rec. 4
OIG Recommendation: Direct facilities management at all ORD facilities to perform and document semiannual workstation audits to assess staff compliance with Agency IT security requirements.
Responsible Office: ORD/OSIM
ORD Response: ORD concurs. ORD/OSIM will coordinate performance of semiannual workstation audits at all ORD sites to assess staff compliance with Agency IT security requirements. In addition to semiannual audits, ORD/OSIM will create an ORD informational message to educate ORD personnel on securing workstations and portable devices as required by Agency IT Security policy.

Rec. 5
OIG Recommendation: Direct facilities management at all ORD facilities to strengthen encryption on all ORD wireless access points.
Responsible Office: ORD/OSIM
ORD Response: ORD concurs. Corrective actions have been completed. ORD/OSIM has completed a review and confirmed that encryption levels on all ORD Guest WLAN implementations at ORD remote sites meet the ORD standard and OIG recommendation. This action was confirmed completed on 11/26/12. ORD requests closure of this recommendation.

Rec. 6
OIG Recommendation: Direct facilities management at all ORD facilities to guard facility entrances and exits to facilitate random checks of vehicles, baggage, and property passes.
Responsible Office: ORD/OARS
ORD Response: ORD non-concurs. Security Management Division (SMD) conducts routine vulnerability (security) assessments at EPA facilities. Assessments and recommendations are driven by the assigned Facility Security Level in accordance with Interagency Security Committee standards. Individual ORD sites have Physical Security Plans that reflect their designated Facility Security Level and measures tailored to their location and vulnerability assessment. The single recommendation proposed is not appropriate for all sites. Physical security assessments and recommendations should align with SMD reports and reflect their designated security level. Minimum recommendations are summarized in the EPA Minimum Security Requirements found at http://intranet.epa.gov/oa/smd/pdfs/ps-dat-security-requirements_final_0507.pdf.

Rec. 7
OIG Recommendation: Direct facilities management at all ORD facilities to train all main-entrance personnel to inspect badges, baggage, and property passes.
Responsible Office: ORD/OARS
ORD Response: ORD non-concurs. Security Management Division (SMD) conducts routine vulnerability (security) assessments at EPA facilities. Assessments and recommendations are driven by the assigned Facility Security Level in accordance with Interagency Security Committee standards. Individual ORD sites have Physical Security Plans that reflect their designated Facility Security Level and measures tailored to their location and vulnerability assessment. The single recommendation proposed is not appropriate for all sites. Physical security assessments and recommendations should align with SMD reports and reflect their designated security level. Minimum recommendations are summarized in the Environmental Protection Agency Minimum Security Requirements found at http://intranet.epa.gov/oa/smd/pdfs/ps-dat-security-requirements_final_0507.pdf.

Rec. 8
OIG Recommendation: Direct facilities management at all ORD facilities to lock the door to the room containing servers that host facility security applications or move servers to a secure location.
Responsible Office: ORD/OARS
ORD Response: ORD concurs. All servers in ORD/ERD are now secured behind locked doors.

Rec. 9
OIG Recommendation: Direct facilities management at all ORD facilities to include contract employees in the facilities’ employment separation policy and procedures.
Responsible Office: ORD/OARS
ORD Response: ORD concurs. ORD/ERD now has a procedure for processing separated contract employees. The procedure includes collecting keys, badges, swipe cards and parking permits.

Rec. 10
OIG Recommendation: Direct facilities management at all ORD facilities to formalize a process that restricts access to ORD server rooms based upon job responsibility and need.
Responsible Office: ORD/OSIM
ORD Response: ORD concurs. ORD/OSIM and facilities staff reviewed and remediated specific findings from the audit to ensure that server room access lists ensure only personnel with job duties requiring unescorted access to server rooms are permitted entry. ORD/OSIM will create formal procedures for the review and management of server room access.

Rec. 11
OIG Recommendation: Direct facilities management at all ORD facilities to improve camera-monitoring systems and lighting to increase visibility at sites; and to monitor external buildings, server rooms, hallways, storage areas, and entries and exits.
Responsible Office: ORD/OARS
ORD Response: ORD non-concurs. Security Management Division (SMD) conducts routine vulnerability (security) assessments at EPA facilities. Assessments and recommendations are driven by the assigned Facility Security Level in accordance with Interagency Security Committee standards. Individual ORD sites have Physical Security Plans that reflect their designated Facility Security Level and measures tailored to their location and vulnerability assessment. The single recommendation proposed is not appropriate for all sites. Physical security assessments and recommendations should align with SMD reports and reflect their designated security level. Minimum recommendations are summarized in the Environmental Protection Agency Minimum Security Requirements found at http://intranet.epa.gov/oa/smd/pdfs/ps-dat-security-requirements_final_0507.pdf. It should be noted that although not required, ORD has taken proactive steps beyond the EPA Minimum Security Requirements by increasing CCTV data storage capability at several locations.

Rec. 12
OIG Recommendation: Direct facilities management at all ORD facilities to increase the CCTV monitoring storage time to meet EPA-approved storage requirements.
Responsible Office: ORD/OARS
ORD Response: ORD non-concurs. Security Management Division (SMD) conducts routine vulnerability (security) assessments at EPA facilities. Assessments and recommendations are driven by the assigned Facility Security Level in accordance with Interagency Security Committee standards. Individual ORD sites have Physical Security Plans that reflect their designated Facility Security Level and measures tailored to their location and vulnerability assessment. The single recommendation proposed is not appropriate for all sites. Physical security assessments and recommendations should align with SMD reports and reflect their designated security level. Minimum recommendations are summarized in the Environmental Protection Agency Minimum Security Requirements found at http://intranet.epa.gov/oa/smd/pdfs/ps-dat-security-requirements_final_0507.pdf. It should be noted that although not required, ORD has taken proactive steps beyond the EPA Minimum Security Requirements by increasing CCTV data storage capability at several locations.

Rec. 13
OIG Recommendation: Direct facilities management at all ORD facilities to develop and employ procedures for the random testing of sanitized drives to verify the removal of sensitive information.
Responsible Office: ORD/OSIM
ORD Response: ORD concurs. The ORD Electronic Media Sanitization Standard Operating Procedure (SOP) was updated on August 6, 2012. This SOP update identified the requirement for validating the success of sanitization efforts. ORD/OSIM will communicate this requirement by distributing this procedure to staff who perform this duty.

Rec. 14
Responsible Office: ORD/OARM
ORD Response: ORD non-concurs. EPA Order 2030.1A, Continuity of Operations (COOP) Policy is the Agency's contingency planning policy for identification of COOP site requirements. ORD laboratories (except for those physically located in RTP and Cincinnati, where OARM has the COOP lead) were excluded from the Order as they do not directly support Agency mission essential functions (MEFs). Under NIST 800-34 Rev 1 (page 18), "Information systems that do not support COOP functions do not require alternate sites
OIG Recommendation: Direct facilities management at all ORD facilities to update ORD COOP plans to include:
    a. A list of required IT equipment provisions for essential staff in the event of an emergency.
    b. A list of local stores and vendors to procure IT equipment from in order to maintain operations in an emergency.
    c. 
Procurement procedures\n                                                    as part of the ISCP (Information System\n       and the names of\n                                                    Contingency Plan) recovery strategy..."\n       authorized purchase\n                                                    Therefore, ORD laboratories are not\n       cardholders in COOP\n                                                    required to maintain alternate work\n       plans for each ORD\n                                                    sites.\n       facility.\n                                                    ORD concurs. ORD/OSIM is\n                                                    configuring ORD sites to backup data\n                                                    over the Agency WAN to\n                                                    geographically dispersed primary and\n                                                    secondary backup locations. Many ORD\n                                                    remote sites have transitioned into this\n       Direct facilities                            configuration, while others are planning\n       management at all ORD                        to do so as budget and resources permit.\n 15    facilities to relocate data    ORD/OSIM      ORD/OSIM will review ORD remote\n       backup tapes offsite to a                    site data that is not currently included in\n       secure location.                             
this plan to determine the need for back-\n                                                    up based on the criticality of the data.\n                                                    Additionally, ORD/OSIM will\n                                                    determine operational and cost\n                                                    implications of completing an electronic\n                                                    backup or secure remote storage of\n                                                    back-up tapes for this data.\n\n\n\n\n13-P-0252                                                                                     27\n\x0c Rec                                  Responsible\n No.     OIG Recommendation             Office                   ORD Response\n       Direct facilities\n       management at all ORD\n                                                    ORD concurs. ORD/OSIM will conduct\n       facilities to conduct and\n                                                    further research to determine the\n       document annual tests\n                                                    operational feasibility and cost\n 16    (during non business           ORD/OSIM\n                                                    implications of conducting and\n       hours) of the\n                                                    documenting annual UPS testing for\n       uninterrupted power\n                                                    ORD servers.\n       supply connected to\n       servers.\n       Direct facilities                            ORD non-concurs. ORD server rooms\n       management at all ORD                        are in compliance with the National Fire\n       facilities to move the                       Protection Association (NFPA)\n       server racks so that they                    standards. 
NFPA A.5.2.1.2 requires 18\n 17    are not located directly       ORD/OARS      inches of clearance below the sprinkler\n       under sprinkler heads or                     deflector. Installing a shield could create\n       water pipes, or install leak                 an obstruction that would interrupt the\n       shields on or above the                      water discharge and result in the loss of\n       server racks.                                life.\n       Direct facilities\n       management at all ORD\n       facilities to develop a\n                                                    ORD non-concurs. Server rooms are in\n       strategy that addresses\n                                                    compliance with the National Fire\n       limiting water damage to\n                                                    Protections Association (NFPA)\n       IT assets located in the\n                                                    standards. Fire protection systems are\n       server room and include:\n 18                                   ORD/OARS      zoned in a manner to only discharge\n       a. A 24 hours/day, 7\n                                                    water in the area(s) that require fire\n       days/week monitoring\n                                                    suppression. In addition, if a leak\n       provision.\n                                                    occurs, the water and/or air pressure will\n       b. 
Timely actions to be\n                                                    drop and result in an alarm.\n       taken in the event of\n       water leaks in the server\n       room.\n\n\n\n\n13-P-0252                                                                                    28\n\x0c                                                                                      Appendix C\n\n Agency Response to OIG Revised Recommendations\nSubsequent to the issuance of our draft report, we met with Agency officials to discuss their\nconcerns with the report\xe2\x80\x99s recommendations. Where appropriate, we modified the report\xe2\x80\x99s\nrecommendations to address management\xe2\x80\x99s concerns and provided the agency with a copy of the\nrevised recommendations for comment. Management concurred with four of the revised\nrecommendations, but provided suggested changes to the wording in seven of our revised\nrecommendations. OIG made no additional modifications based on ORD\xe2\x80\x99s suggested wording of\nour revised recommendations.\n\nManagement does not concur with the recommendations to improve the server room\nenvironmental controls to protect the servers from accidental water damage (recommendations\n17 and 18, respectively). Management states that installing a shield could create an obstruction\nthat could interrupt the water discharge and result in the loss of life. Management also states the\nfire protection systems are zoned in a manner to only discharge water in the area(s) that require\nfire suppression, and if a leak occurs, the water and/or air pressure will drop and result in an\nalarm. Our audit revealed many of the ORD servers in question sit directly under the sprinkler\nhead, and the risks from accidental water damage could be reduced by rearranging the servers\nwithin the room. 
However, it is incumbent upon management to assess the risks to assets and\ndocument decisions within the organization\xe2\x80\x99s information system security plan as required by\nfederal guidance. Therefore, the OIG made no additional modifications based on the suggested\nwording of our revised recommendations.\n\nThis appendix represents the crosswalk between the OIG revised recommendations and the ORD\nresponse to those revised recommendations, along with suggested wording to our revised\nrecommendations.\n\n\n\n\n13-P-0252                                                                                         29\n\x0cRec            OIG Revised Recommendation                           New ORD Response                  ORD Suggested Alternative/Revised                            OIG Overall Analysis\nNo.                                                                                                          Recommendation\n\n 2    Require facilities management personnel at the         Concur- however, ORD suggests          Direct facilities management at the Gulf       Although ORD concurred with our revised\n      Gulf Ecology Division to install locks on all          minor changes to the wording. In       Ecology Division to install locks on all       recommendation, no documented evidence was provided\n      facility exterior doors protecting information         addition, ORD has already              facility exterior doors protecting             to indicate ORD implemented the recommendation at all\n      technology assets. Additionally, require               implemented this recommendation        information technology assets.                 ORD locations. Therefore, this recommendation will\n      management at all other ORD facilities to verify       and we recommend that this be          Additionally, direct ORD facilities            remain open. 
Furthermore, the OIG made no additional\n      functioning locks on exterior doors containing         closed as completed.                   management to ensure that local security       modifications based on the ORD suggested wording of\n      information technology assets have been installed.                                            procedures and policies for locks on           our revised recommendation.\n                                                                                                    exterior doors protecting information\n                                                                                                    technology assets are being followed.\n\n\n\n 6    Require facilities management personnel at the         Concur- however, ORD suggests          Direct facilities management at the            Although ORD concurred with our revised\n      Atlantic Ecology Division and Ecosystems               changes to the wording. Also,          Atlantic Ecology Division and Ecology          recommendation and provided the OIG with suggested\n      Research Division to guard facility entrances and      ORD follows Interagency Security       Research Division to guard facility            wording for the recommendation, the OIG made no\n      exits to facilitate random checks of vehicles,         Committee physical security            entrances and exits to facilitate random       additional modifications to the revised recommendation\n      baggage, and property passes. Additionally,            standards, as applied to our           checks of vehicles, baggage, and property      since our recommendation to management is more direct\n      require management at all other ORD facilities to      facilities in collaboration with the   passes. Direct facilities management at        and action-oriented.\n      adhere to local facility security procedures if        Security Management Division.          
ORD facilities to ensure that local security\n      random checks of vehicles, baggage, and property       Further, ORD facilities adhere to      procedures and policies for the guarding of\n      passes are required.                                   local security procedures and          facility entrances and exits and random\n                                                             policies appropriate to the local      checking of vehicles, baggage, and\n                                                             security environment. The              property passes, where applicable, are\n                                                             Ecosystems Research Division           being followed.\n                                                             revised the security policy to\n                                                             eliminate the conflict between\n                                                             policy and accepted procedure.\n\n\n 7    Require facilities management personnel at the         Concur- however, ORD suggests          Direct facilities management at the         Although ORD concurred with our revised\n      Atlantic Ecology Division to train all main-           changes to the wording. In             Atlantic Ecology Division to train all      recommendation and provided the OIG with suggested\n      entrance personnel to inspect badges, baggage, and     addition, please note that ORD         main-entrance personnel to inspect badges,  wording for the recommendation, the OIG made no\n      property passes. Additionally, require management      follows Interagency Security           baggage, and property passes.               additional modifications. 
We stand by our\n      at all other ORD facilities to train, if needed, its   Committee physical security                                                        recommendation, since we found no security personnel at\n      main-entrance personnel on any required local          standards, as applied to our           Direct facilities management at ORD         the facility\xe2\x80\x99s main entrance to conduct random inspections\n      facility security procedures for inspecting badges,    facilities in collaboration with the   facilities to ensure that local security    and monitor surveillance equipment while contracted\n      baggage, and property passes at building entrances.    Security Management Division.          procedures and policies for the guarding of security services personnel were on patrol of the facility.\n                                                             Further, ORD facilities adhere to      facility entrances and exits and random     The expectation would be that personnel performing the\n                                                             local security procedures and          checking of vehicles, baggage, and          security function in the absence of the contracted security\n                                                             policies appropriate to the local      property passes, where applicable, are      services personnel be trained and qualified to do so.\n                                                             security environment.                  being followed.\n\n\n\n\n13-P-0252                                                                                                                                                                                               30\n\x0cRec            OIG Revised Recommendation                          New ORD Response                ORD Suggested Alternative/Revised                           OIG Overall Analysis\nNo.                                            
                                                           Recommendation\n\n 11   Require facilities management personnel at the         Non-Concur. ORD follows             Per 2750, ORD\'s alternative                   Management does not concur with this recommendation\n      Gulf Ecology Division and Atlantic Ecology             Interagency Security Committee      recommendation is:                            to improve CCTV functionality or to improve monitoring\n      Division to improve camera-monitoring systems          physical security standards.                                                      of ORD facilities. Management stated they follow\n      and lighting to increase visibility at sites; and to   Current standards suggest CCTV      Direct facilities management at the Gulf      Interagency Security Committee physical security\n      monitor external buildings, server rooms,              systems for facilities designated   Ecology Division and Atlantic Ecology         standards and these standards do not define minimum\n      hallways, storage areas, and entries and exits.        security levels 1, 2, and 3.        Division to improve camera-monitoring         coverage for CCTV systems. However, we found the lack\n      Additionally, require management at all other          Interagency Security Committee      systems and lighting to increase visibility   of adequate building lighting and CCTV coverage makes\n      ORD facilities to review camera-monitoring             does not define minimum             at sites and to monitor external buildings,   the system ineffective for properly monitoring the\n      systems and lighting to ensure the equipment is        coverage or minimum recording       server rooms, hallways, storage areas, and    facilities. Therefore, the OIG made no additional\n      functioning properly to facilitate monitoring of       capacity for CCTV systems.          entries and exits. 
Additionally, direct       modifications based on the suggested wording of our\n      external buildings, server rooms, hallways, storage                                        facilities management at ORD to ensure        revised recommendations\n      areas, and entries and exits.                                                              that local security procedures and policies\n                                                             Please note: Gulf Ecology           to improve the effectiveness of camera-\n                                                             Division, a Level 2 facility,       monitoring systems and lighting and the\n                                                             upgraded their existing CCTV        monitoring of external buildings, server\n                                                             system as did Atlantic Ecology      rooms, hallways, storage areas, and entries\n                                                             Division, a Level 3 facility.       and exits, where applicable, are being\n                                                                                                 followed.\n\n\n 12   Require facilities management personnel at the         Non-concur. ORD follows             Per 2750, ORD\'s alternative              Management does not concur with this recommendation\n      Gulf Ecology Division and Atlantic Ecology             Interagency Security Committee      recommendation is:                       to increase CCTV monitoring storage time. Management\n      Division to increase the CCTV monitoring storage       physical security standards.                                                 stated they follow Interagency Security Committee\n      time to meet EPA-approved storage requirements.        
Current standards suggest CCTV      Direct facilities management at the Gulf physical security standards and these standards do not\n      Additionally, require management at all other          systems for facilities designated   Ecology Division and Atlantic Ecology    define minimum recording capacity for CCTV systems.\n      ORD facilities to review its practices to ensure       security levels 1, 2, and 3.        Division to increase the CCTV monitoring However, we found the CCTV storage capacity\n      CCTV monitoring storage time meets EPA-                Interagency Security Committee      storage time to meet EPA-approved        inadequate for aiding management\xe2\x80\x99s research if a security\n      approved storage requirements.                         does not define minimum             storage requirements. Direct facilities  breach or incident occurs. Therefore, the OIG made no\n                                                             coverage or minimum recording       management at ORD facilities to ensure   additional modifications based on the suggested wording\n                                                             capacity for CCTV systems.          
that CCTV monitoring storage time is     of our revised recommendations.\n                                                                                                 increased to meet EPA-approved storage\n                                                                                                 requirements, where applicable.\n                                                             Please note: Gulf Ecology\n                                                             Division, a Level 2 facility,\n                                                             upgraded their existing CCTV\n                                                             system as did Atlantic Ecology\n                                                             Division, a Level 3 facility.\n\n\n\n\n13-P-0252                                                                                                                                                                                          31\n\x0cRec           OIG Revised Recommendation                    New ORD Response              ORD Suggested Alternative/Revised                           OIG Overall Analysis\nNo.                                                                                              Recommendation\n\n 14   Require facilities management personnel at the    Concur- however, ORD suggests   Direct facilities management at the           Although ORD concurred with our revised\n      Gulf Ecology Division, Atlantic Ecology Division, changes to the wording.         Atlantic Ecology Division to train all        recommendation and provided the OIG with suggested\n      and Ecosystems Research Division to update its                                    main-entrance personnel to inspect badges,    wording for the recommendation, the OIG made no\n      contingency plans to include:                                                     baggage, and property passes.                 
additional modifications to the revised recommendation\n                                                                                        Additionally, direct management at all        since our recommendation to management is more direct\n         a. A list of required IT equipment provisions                                  other ORD facilities train, if needed, its    and action-oriented.\n            for essential staff in the event of an                                      main-entrance personnel on any required\n            emergency.                                                                  local facility security procedures for\n                                                                                        inspecting badges, baggage, and property\n         b. A list of local stores and vendors from                                     passes at building entrances.\n            which to procure IT equipment in order to\n            maintain operations in an emergency.                                        Direct facilities management at the Gulf\n                                                                                        Ecology Division, Atlantic Ecology\n         c. Procurement procedures and the names of                                     Division, and the Ecosystems Research\n            authorized purchase cardholders in COOP                                     Division to update its contingency plans to\n            plans for each ORD facility.                                                include:\n\n      Additionally, require management personnel at all                                    a. 
A list of required IT equipment\n      other ORD facilities to provide operational                                             provisions for essential staff in the\n      resources and facilities in the event of an                                             event of an emergency.\n      emergency.\n                                                                                           b. A list of local stores and vendors to\n                                                                                              procure IT equipment from in order\n                                                                                              to maintain operations in an\n                                                                                              emergency.\n\n                                                                                           c. Procurement procedures and the\n                                                                                              names of authorized purchase\n                                                                                              cardholders in contingency plans.\n\n                                                                                        Additionally, direct management to review\n                                                                                        and update, if necessary, its contingency\n                                                                                        plans to ensure resources are available and\n                                                                                        facilities remain operational, in the event\n                                                                                        of an emergency.\n\n\n\n\n13-P-0252                                                                                                                                                                           
       32\n\x0cRec            OIG Revised Recommendation                          New ORD Response                ORD Suggested Alternative/Revised                     OIG Overall Analysis\nNo.                                                                                                       Recommendation\n\n 17   Require facilities management personnel at the        Non-Concur. ORD meets National                                             Moving the server racks or installing leak shields above\n      Gulf Ecology Division, Atlantic Ecology Division,     Fire Protections Association                                               them would have no effect on obstructing water discharge\n      and Ecosystems Research Division to move the          A.5.2.1.2 requirements for                                                 or result in the loss of life. The purpose of the leak shields\n      server racks so that they are not located directly    sprinkler installation. Installing a                                       is to reduce/prevent accidental water damage to the\n      under sprinkler heads or water pipes, or install      shield could create an obstruction                                         servers. Based on federal guidance, if management does\n      leak shields above the server racks to comply with    that could interrupt the water                                             not want to install the shields or move the servers, then it\n      NIST SP 800-53 requirements. If management            discharge and result in the loss of                                        should update the security plan and have the authorizing\n      decides to accept the risk of not relocating the      life.                                                                      
official formally accept operating the server room with\n      server racks, then ORD should update the                                                                                         this know risk.\n      respective information system security plan and\n      have the authorizing official formally accept the\n      responsibility for operating the room with known\n      risks as required by federal policy.\n\n\n 18   Require facilities management personnel at all        Non-Concur. Server rooms are in                                            The OIG requested documentation governing the fire\n      ORD facilities to develop a strategy that addresses   compliance with the National Fire                                          system design and alarm system, and ORD has not\n      limiting water damage to IT assets located in the     Protections Association standards.                                         provided this information. Therefore, this\n      server room and include:                              Fire protection systems are zoned                                          recommendation will remain open.\n                                                            in a manner to only discharge\n         a. A 24 hours/day, 7 days/week monitoring          water in the area(s) that require\n            provision.                                      fire suppression. In addition, if a\n                                                            leak occurs, the water and/or air\n         b. Timely actions to be taken in the event of      pressure will drop and result in an\n            water leaks in the server room.                 
alarm.\n\n      If management decides to accept this risk of not\n      developing a strategy to comply with NIST SP\n      800-53 requirements, then ORD should update the\n      respective information system security plan and\n      have the authorizing official formally accept the\n      responsibility for operating the room with known\n      risks as required by federal policy.\n\n\n\n\n13-P-0252                                                                                                                                                                                         33\n\x0c                                                                             Appendix D\n\n                                   Distribution\nOffice of the Administrator\nPrincipal Deputy Assistant Administrator for Research and Development\nAssociate Assistant Administrator for Research and Development\nDeputy Assistant Administrator for Management, Office of Research and Development\nDeputy Assistant Administrator for Science, Office of Research and Development\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nSenior Agency Information Security Officer\nAudit Follow-Up Coordinator, Office of Research and Development\n\n\n\n\n13-P-0252                                                                           34\n\x0c'